
pix to checkpoint with overlapping address space

justin.donoghue
Level 1

Hi, I have a problem with a PIX connecting to a Checkpoint. Both ends are in the 192.168.1.0 address range. My question is: can I NAT before I go over the IPSEC tunnel on the PIX? At the moment there is NAT on the PIX for internet access. All configs I see do NAT 0 for VPN traffic on the PIX, i.e. non-overlapping address space. I need to NAT to another range before I go over the tunnel, and the far side needs to see me as that range. Is this possible, do you think, and if so could anyone post an example? Thanks in advance.

2 Replies

ehirsel
Level 6

Yes, you can NAT and/or PAT on the PIX before you cross the IPSec tunnel that has one end terminated on it. The crypto map on the PIX needs to refer to the NAT/PAT'ed address(es) as the source, not the true inside address.

What PIX version are you running? I know that PIX 6.3 can allow you to do policy NAT, that is, NAT to one address for Internet access and NAT to another for the IPSec VPN connection. This may be of use to you or not, depending upon how the other side expects to see you (another set of RFC 1918 addresses, or the public address assigned for Internet access).

I am assuming that the other side does not need to access resources on your network. In most cases each side needs to access resources on the other, and that is why NAT 0 for VPN traffic is done: some protocols do not work well with NAT, plus there can be some DNS/name service issues too.

Here is an example of your net connecting to the remote net over IPsec using PAT:

On your PIX:

nat (inside) 34 access-list remotenet_nat_01 0 0

global (outside) 34 a.b.c.d
(where a.b.c.d is what the remote net sees you as)

access-list remotenet_nat_01 permit ip y.y.y.y ym.ym.ym.ym r.r.r.r rm.rm.rm.rm
(where y and ym are your network and net mask before NAT/PAT, and r and rm are the remote network and mask)

access-list cmap_acl permit ip host a.b.c.d r.r.r.r rm.rm.rm.rm
(this is the ACL that defines interesting traffic for IPsec, and the other end needs a mirror image of this ACL in their crypto map. Note that the source host a.b.c.d matches the global (outside) 34 statement, as it is the NAT/PAT address that the other side expects you to be.)

Thanks, this has been a great help. I'm trying to simulate the Checkpoint (I don't have control over it) by using a router as the remote end, but it seems I'm only getting the interesting traffic to kick off the VPN negotiation one way (when I ping from router to PIX). Once the VPN is established I then get ping connectivity both ways, which is strange. This VPN will eventually be used just for FTP and will only need to be initiated from the PIX side of the tunnel.

Thanks again, J
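The point of ehirsel's answer is that the PIX translates the source address first and only then compares the flow against the crypto map's interesting-traffic ACL, so that ACL has to name the PAT address, not the inside network. The following Python model is an added example written for this page; it is not PIX code and not from either poster. It models three rule sets in an assumed evaluation order (NAT 0 exemption, then policy NAT, then the catch-all Internet PAT) and then checks the post-NAT source against the crypto ACL. The addresses (192.168.1.0/24 inside, 172.16.1.0/24 as the remote network, 172.16.0.1 standing in for a.b.c.d, 203.0.113.5 for the outside interface) are constructed placeholders for y/ym, r/rm and a.b.c.d in the reply. Besides the correct configuration, it shows two ways a flow from the PIX side can fail to match the crypto map at all, so the PIX side would never bring the tunnel up itself: a crypto ACL still written for the pre-NAT range, and a NAT 0 exemption left in place from the usual non-overlapping recipe.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list <name> permit ip <src> <mask> <dst> <mask>' line."""
    src: Net
    dst: Net

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        return src in self.src and dst in self.dst


@dataclass(frozen=True)
class PolicyNat:
    """'nat (inside) <id> access-list <acl>' paired with 'global (outside) <id> <addr>'."""
    nat_id: int
    acl: AclEntry
    global_addr: IPv4


@dataclass
class Pix:
    exempt: List[AclEntry] = field(default_factory=list)       # nat (inside) 0 access-list ...
    policy_nat: List[PolicyNat] = field(default_factory=list)  # nat (inside) <id> access-list ...
    crypto_acl: List[AclEntry] = field(default_factory=list)   # crypto map ... match address ...
    internet_pat: IPv4 = IPv4("203.0.113.5")  # constructed: 'global (outside) 1 interface'

    def translate(self, src: IPv4, dst: IPv4) -> Tuple[IPv4, str]:
        # Assumed evaluation order for this model: NAT exemption first, then
        # policy NAT rules in order, then the catch-all Internet PAT.
        if any(e.matches(src, dst) for e in self.exempt):
            return src, "nat 0 (exempt, address unchanged)"
        for rule in self.policy_nat:
            if rule.acl.matches(src, dst):
                return rule.global_addr, "nat %d (policy PAT)" % rule.nat_id
        return self.internet_pat, "nat 1 (Internet PAT)"

    def forward(self, src: str, dst: str) -> dict:
        s, d = IPv4(src), IPv4(dst)
        wire_src, how = self.translate(s, d)
        # The crypto map is consulted after translation, so the interesting-traffic
        # ACL is compared against the post-NAT source address.
        encrypted = any(e.matches(wire_src, d) for e in self.crypto_acl)
        return {"src_on_wire": str(wire_src), "nat": how, "encrypted": encrypted}


# Constructed addressing (placeholders for y/ym, r/rm and a.b.c.d in the reply):
INSIDE = Net("192.168.1.0/24")   # our LAN, overlapping with the remote LAN
REMOTE = Net("172.16.1.0/24")    # remote LAN as presented to us over the tunnel
PAT_ADDR = IPv4("172.16.0.1")    # a.b.c.d: what the remote end sees us as


def build_pix(crypto_src: Net, keep_nat0_for_vpn: bool = False) -> Pix:
    pix = Pix()
    if keep_nat0_for_vpn:
        # The usual non-overlapping recipe: exempt VPN traffic from NAT.
        pix.exempt.append(AclEntry(INSIDE, REMOTE))
    pix.policy_nat.append(PolicyNat(34, AclEntry(INSIDE, REMOTE), PAT_ADDR))
    pix.crypto_acl.append(AclEntry(crypto_src, REMOTE))
    return pix


def correct_config() -> dict:
    """Crypto ACL names the PAT address (host a.b.c.d): flow is translated and encrypted."""
    return build_pix(Net("172.16.0.1/32")).forward("192.168.1.10", "172.16.1.20")


def crypto_acl_names_inside_net() -> dict:
    """Crypto ACL written for the pre-NAT range: never matches, flow leaves unprotected."""
    return build_pix(INSIDE).forward("192.168.1.10", "172.16.1.20")


def nat0_left_in_place() -> dict:
    """A leftover NAT 0 exemption wins, the source stays 192.168.1.x, crypto ACL misses."""
    return build_pix(Net("172.16.0.1/32"), keep_nat0_for_vpn=True).forward("192.168.1.10", "172.16.1.20")


def internet_bound() -> dict:
    """Ordinary Internet traffic still takes the regular PAT and is not tunnelled."""
    return build_pix(Net("172.16.0.1/32")).forward("192.168.1.10", "198.51.100.7")


if __name__ == "__main__":
    for fn in (correct_config, crypto_acl_names_inside_net, nat0_left_in_place, internet_bound):
        print(f"{fn.__name__:30s} {fn()}")
```

The check to take from the model: whatever translation a flow receives, the crypto ACL must describe the flow as it looks after that translation, and every other NAT rule that could claim the same flow (the NAT 0 exemption in particular) has to be removed or narrowed so the policy NAT for the tunnel is the one that fires.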
